Hi Kevin,

On Wed, Feb 25, 2015 at 5:18 PM, Kevin Ingwersen (Ingwie Phoenix) <
ingwie2...@googlemail.com> wrote:

> Here are my cents on this RFC, as it just keeps popping up in my inbox and
> it's beginning to be one that I wish I could ignore.
>
> First, … file extensions? A default Apache configuration and some Nginx
> configurations actually accept more than one file extension. This RFC does
> not include any way to specify a variety of extensions that should be
> blocked, ignored or treated else.
>

It's described in the implementation details section of the RFC.
This RFC does not address Web server configuration issues. Scripts
opened by Web servers are just executed as configured.

> Your PHP code is only as secure as you make it. If you are in need of such
> an RFC just to block a few „rare cases“, then I would rather suggest you
> either check your source or hand it to a professional to get it
> counter-checked.
>
> Besides that, it is never a good idea to let a user upload /everything/
> that they want to. A proper MIME-type check can be helpful in these
> scenarios.
>

A MIME-type check cannot help at all, as it does not guarantee that there are
no embedded PHP scripts in the file.
Even image resizing or removing EXIF info cannot help.

Without this RFC, a single script inclusion vulnerability is enough to take
over the victim's server on most systems.

> Again, I would not vote for the RFC and I do not think positively about it,
> since I see it as very unnecessary.
>

Then it means you have misunderstood the issue here.

> Thus, if an attacker really wants to get into your business, they have more
> than one way to do so - for instance, exploiting the web server itself.
>

Exploiting PHP programs is much easier for attackers. That's the reason why
attackers check for vulnerable PHP programs. Check your web server
access/error logs, and you'll see what I mean.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
